Redefining Static Analysis A Standards Approach Mike Oara CTO, Hatha Systems
Software Analysis for Compliance Compliance Assessment Requires Software Analysis Dynamic Analysis Option Static Analysis Performed on executable programs built from that software system running on a real or virtual processor Performed without executing programs, but by employing complex analytical tools which investigate the actual source code of the system 12/16/2010 Hatha Systems, LLC 2
Dynamic Analysis Methods Benefits Limitations Inspecting the user interfaces Performing multiple incident specific tests Measuring performance Checkingmemory allocation Configuration Management No source code required A realistic view of the software system in action Performance data available Lockingdown system removing unnecessary access No certainty of code coverage Numberof tests maybe overwhelming Difficult to replicate runtime environment Flight 501, which took place on June 4, 1996, was the first, and unsuccessful, test flight of the European Ariane 5 expendable launch system. Due to an error in the software design (inadequate protection from integer overflow), the rocket veered off its flight path 37 seconds after launch and was destroyed by its automated self-destruct system when high aerodynamic forces caused the core of the vehicle to disintegrate. It is one of the most infamous computer bugs in history. (Wikipedia) 12/16/2010 Hatha Systems, LLC 3
Static Analysis Methods Benefits Limitations Architecture diagrams Data flows Control flows Investigative queries Software measurements Pattern discovery Simulation System understanding in breath and depth Direct discovery of noncompliance Pinpointing errors in the code, architecture, process Proof of compliance No guesswork testing No performance data Some run-time conditions may not be captured Source code is required Source code Parsing Repository model Analysis Comprehensive System Diagrams User Definable Queries Both comprehensive and Custom/specialized analysis tools 12/16/2010 Hatha Systems, LLC 4
Static Analysis: Platform Diagrams Definition A diagram of relationships between runtime elements of the application (programs, transactions, tables, files, queues, etc.) Compliance applications Is the application properly layered? Are all data access methods done through an API layer? Which elements of the application work with confidential or secret information? 12/16/2010 Hatha Systems, LLC 5
Static Analysis: Data Flows Definition Shows dependencies between variables Compliance applications What data appears in a user interface?(hipaa) Was data encrypted before being stored or transmitted? 12/16/2010 Hatha Systems, LLC 6
Static Analysis: Control Flow Definition Shows flow dependencies between statements Compliance applications Is data validated before being processed? What conditions lead to a particular action? (example: approval of a request) 12/16/2010 Hatha Systems, LLC 7
Static Analysis: Queries Static analysis tools look at the code as raw data. They can therefore query and discover predefined patterns of concern for compliance. Example To guard against internal attacks, find if there is any place in the code where special logic is executed for a particular hard-coded account. //ActionElement[@kind="Branch" and exists(->argument[@name like "*CUST*"]) and exists(->argument:valueelement)] Query Find mixed IO programs Find data validations Find coding patterns Compliance applications Compliance to architecture standards. User interfaces should be separated from data access. Is data correctlyvalidated before being accepted to be processed? Discover common code weaknesses Query results can be immediately seen in the context of data flows, control flows or platform architecture! 12/16/2010 Hatha Systems, LLC 8
Static Analysis: Offering evidence Reports based on queries Activity log 12/16/2010 Hatha Systems, LLC 9
Current Static Analysis Approach Practical difficulties Issue Largevariety of languages and technologies Large variety of regulatory requirements Largevariety of regulatory authorities Flexibleuse of advancementsin the technology and methodology of analysis Consequences No static analysis tools cover all technologies. If many tools are used, results are hard to merge. No staticanalysis tool covers all requirements. Some may offer good data flow analysis, some good queries for weaknesses, some good architecture diagrams. Each regulatory authoritymay require a certain type of reporting Tools and their approachescanquickly become obsolete;stovepipedsolutions while some tools may improve more. How can you switch without sacrificing the current investments? Solution Use of standard models, commonly accepted terms, commonly accepted methodologies and reporting. 12/16/2010 Hatha Systems, LLC 10
Standard models: KDM DR6 Knowledge Discovery Metamodel(KDM):an ISO/OMG Standard providing ontology (a set of definitions) for system knowledge extraction and analysis. KDM provides a framework for the capture of code, platform and other software system characteristics. This further allows the extraction of data flows, control flows, architectures, business/operational rules, business/operational terms, and the derivation of business/operational process; the extraction can be delivered from source, binary, or byte code. Additionally the intermediate representation of the extraction is in executable models creating the possibility of simulation and code generation. 12/16/2010 Hatha Systems, LLC 11
Slide 11 DR6 Recapture from OMG site Dennis Rosynek, 11/26/2010
Standard models: SBVR SBVR (Semantics of Business Vocabulary and Business Rules):An ISO/OMG standard, this specification provides a structured process for formalizing, in natural language, the existing English language representation of compliance points. The standard enables the various compliance specifications (e.g. FISMA, HIPAA, SOX, FIPs, CWEs, etc) to be formalized reducing the room for interpretation from organization to organization when implementing the compliance and auditing requirements. 12/16/2010 Hatha Systems, LLC 12
Standard models: BPMN DR5 Business Process Modeling Notation (BPMN): an OMG standard delivering a modeling notation used to capture business/operational processes in support of system and organizational process simulation and analysis. It is used today to capture both human and IT system processes for the purposes of simulating environments both as is and to be for software modernization. This notation is compatible with KDM so that system extraction can be represented in BPMN for gap analysis of the current state of the system vs. what is thought to be the current state of the system critical for modernization and compliance. 12/16/2010 Hatha Systems, LLC 13
Slide 13 DR5 Recapture from internet the photo for the granularity Dennis Rosynek, 11/26/2010
Standard models: RDF Data/Metadata Storage Standard (RDF): With the emergence of the standards noted above and the need for storing this information for analysis, a set of storage standards needed to be embraced. XMI, RDMBS, and RDF (Resource Description Framework) are the three formats that are compatible with these standards. RDF -perhaps the least known of them - is a W3C standard that is compatible with KDM and BPMN. There is a specific approach in the standard called RDF triple store which is currently being used in semantic web applications. The value of RDF is that it can manage large amounts of data and metadata which is critical for doing comprehensive static analysis. 12/16/2010 Hatha Systems, LLC 14
Enterprise Software Systems Static Analysis Standards Mapping Business Transaction Process Modeling/Simulation (BPMN Standard) Formal Representation of Semantic Controls (FISMA, CC, FIPs, CWE, HIPAA etc) (SBVR Standard) Extraction of Configuration Data (including black box interface data) (KDM Standard) Data Store using XMI, RDF, RDBMS; Analytics/Correlation Automated Extraction of Business Processes (BPMN Standard) Inputs (BPMN & SBVR) into Analysis Environment (KDM) for gaps and compliance analysis Enterprise System Static Analysis (Modernization, System Integration, Security, Compliance, Assurance) Common Repository/ Common Data Format Sparql Querying Automated Extraction of Business Rules (KDM Standard) Automated Extraction of System Architecture (KDM Standard) Extraction of system Data Flows and Control Flows (KDM Standard) Automated Extraction of Code Weaknesses Within System (KDM Standard, etc) Legend: KDM: Knowledge Discovery Metamodel ISO standard RDF: Resource Description Framework W3C standard BPMN: Business Process Modeling Notation OMG standard SBVR: Semantics of Business Vocabulary and Rules - ISO standard Business Rules Analysis (RIF Standard) Hatha Systems, LLC, Aug 2010
Static Analysis & Standards A Scenario Parsing Cobol/CICS/DB2 C/C++ Java Tool A Tool B Tool C KDM Repository Tool D Tool E Tool F Tool G Analysis Architecture Common weaknesses Extraction Business rules Processes 12/16/2010 Hatha Systems, LLC 16
Thank You Mike Oara mike.oara@hathasystems.com 919-931-9997